Blu says the data its phones collect is standard. Experts disagree.

Amazon said it's suspending sales of Android phones made by Blu following a presentation last week that said that three of the manufacturer's models sent sensitive personal information to third parties in China.

The data sent to AdUps servers at the time included the full body of text messages, contact lists, call histories with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity and the International Mobile Equipment Identity. AdUps officials responded by saying the data collection was a mistake and was being curbed. At Black Hat, however, Kryptowire researcher Ryan Johnson said that three models of Blu phones continued to collect a more limited set of users' personal information. Earlier this week, Amazon officials responded by saying that the online store will stop selling the manufacturer's devices until the issues are fixed.

"We recently learned of a potential security issue on select BLU phones, some of which are sold on Amazon.com," Amazon representatives wrote in a statement. "Because security and privacy of our customers is of the utmost importance, all BLU phone models have been made unavailable for purchase on Amazon.com until the issue is resolved."

A quick search on Amazon as this post was being prepared, however, showed that the online store continued to sell some Blu phone models. It also showed that a separate model, the X16S made by a Blu competitor, Cubot, remained available for purchase despite Kryptowire's warning that it, too, collected personal information. Amazon representatives didn't respond to e-mails seeking clarification. The Amazon offerings didn't include the three Blu models called out by Kryptowire.

Representatives from Blu, meanwhile, strongly disputed claims that any of its phones collect sensitive personal information.

"The data that is currently being collected is standard for [over-the-air update] functionality and basic informational reporting," Blu Marketing Director Carmen Gonzalez wrote in response to the Kryptowire presentation. "This is in line with every other smartphone device manufacturer in the world. There is nothing out of the ordinary that is being collected, and certainly does not affect any user's privacy or security."

"Surveillance typical in China"

Kryptowire said on Wednesday that it stands by its findings, and the company provided some of the technical information other researchers could use to confirm the data collection. The firm identified three phones made by Blu—the Grand M, Life One X2, and Advance 5.0. The first two sent a variety of data—including cell tower ID and location, phone number, IMEI, IMSI, Wi-Fi MAC Address, device serial number, a list of installed applications, and a list of installed applications with timestamps—to a server in China. The Blu Advance 5.0 contained code-execution and logging capabilities that could be used by third-party apps, a vulnerability that has remained unfixed since late last year. A separate phone made by a different manufacturer—the Cubot X16S—sent a variety of personal data, including users' browsing history, to China-based services. The X16S also had the capability to send text messages when instructed by the third-party server.

At least one mobile phone security expert not involved in the controversy agreed with Kryptowire that the Blu phones represented a serious threat to users' privacy.

"By forgetting to remove this code on phones being sold to the US, Blu has exported the surveillance that is typical in China to buyers that are unaware elsewhere in the world," Dan Guido, CEO of security firm Trail of Bits, told Ars. "The data being surveilled includes all the most sensitive information that a person would produce with their phone. Amazon is fully justified in their decision, and I encourage them to crack down further on similar privacy issues with Android phones sold on their website."

Kryptowire's warnings are troubling for millions of owners of low-cost phones. To keep prices low, manufacturers of these devices often turn to discount providers of over-the-air updates. As a result, there are legitimate concerns about the safety of their data collection practices.

"These are all examples illustrative of the firmware security issues," Kryptowire Vice President Tom Karygiannis told Ars. "Blu is getting beat up a bit, but a bigger issue is who else is doing it and how does anyone know?"

Promoted Comments

Even though the Wireless Update can be force stopped and disabled, and that is exactly what is recommended, there is another process on the phone that not only re-enables it, but starts it again. I've stopped and disabled it twice, but it later re-enabled and restarted. There is something a bit more nefarious going on if it won't stay stopped and disabled.

To disable, go into Settings > Apps. Click the three down dots next to the gear icon and choose Show System. Scroll to the Wireless Update app and click on it. Click the Force Stop button and then the Disable button.

"By forgetting to remove this code on phones being sold to the US, Blu has exported the surveillance that is typical in China to buyers that are unaware elsewhere in the world," Dan Guido, CEO of security firm Trail of Bits

that's giving them quite a bit more credit than I would, about that "accidental forgetting" ...

If you want a cheaper phone, and aren't willing to pay for a Motorola, Nokia, or their mid-range kin -- Xiaomi allows the bootloader to be unlocked and they release ROMs for almost their whole line of devices on an ongoing regular basis.

The data sent to AdUps servers at the time included the full body of text messages, contact lists, call histories with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity and the International Mobile Equipment Identity.

How the hell is this "standard information" to be collected?

They genuinely have a very good argument from the perspective of what Google and other parties collect and / or analyze. Swiftkey as an example will data mine your text messages, email, and Facebook for your writing style to "personalize" your predictions (the latter two of which they ask for account login / connection).

The issue is usage, purpose, and level of analytics versus anonymizing. Again, Google used to be quite transparent about email scanning of GMail as an example, but things have continually gotten more opaque.

Going deeper, we have a lot of parties which claim to anonymize your data, but a large number of marketing companies which have claimed and demonstrated the ability to unmask and link individuals across platforms. One such example is when I search for something at my desktop on eBay, I will instantly get targeted advertising in my Facebook feed from eBay on my phone. I don't have the Facebook or eBay apps on my phone -- they are linking data from disparate data sources such as the fact that my eBay and Facebook account have the same email address -- but where are they getting that data? Oh, Facebook must be sharing my email address with eBay so eBay (or an "affiliate") can target advertising.

Is what Blu and these other Chinese companies doing wrong? Absolutely. Is it unusual within the big data industry? Nope. Anybody remember CarrierIQ?

These problems are endemic to the use of big data + cloud instead of local applications keeping data private. It is the data interchange model used for smartphone applications. The entire design is at fault. Looking back 20 years ago at the PC, if a third party program that was not meant to explicitly plug into let's say Outlook or Lotus Notes was grabbing your email databases and scraping them, it would be called computer hacking and people might even end up in jail. In the mobile era, this is standard operating procedure. Tons of apps have absurd permissions requirements.

Much of this falls on Google, as unusual permissions for the scope of an application should be part of their validation process. In this respect they consistently fail the consumer. That is step one: curate the garden and then remove programs which are misbehaving. The same goes for the core of Android which Blu (and others) monkey with.

If Google would instead use the distribution model of Windows, MacOS, or iOS, that is they make the OS and it is installed vanilla on devices by default, they could correctly secure against methods that make use of monkeying with the ROM. Handset manufacturers could still customize the ROMs by installing their apps at startup, just like the way on first time setup Android restores data from an existing phone. Similarly, it would give them control over updates which fixed exploits leveraged by lesser handset makers. Again, it is not in Google's interest to provide this kind of customer experience. They wouldn't allow apps in the store with absurd permission requests if they cared.

This shouldn't be Amazon taking action to protect consumers, this should be Google pulling Blu's Android licensing and leveraging Play Services updates to slip a kill switch for the spying. It's Google's Android product which is the commonality and root of these problems.

Agreed, although I am even more terrified by the thought that the Chinese intelligence community may use Lenovo/Motorola products to gather that data at some point too, as their products are used in businesses everywhere and by a lot of people as well. Some of those people, I'm sure, have access to sensitive information.

Edit: there vs. their. Also clarified some.

Okay, I'm impressed by the fact you got no down-votes for that.

I've been saying the same things for years and get buried. China doesn't have OUR best interests at heart. If they think they can get away with spying on us, they will (to be fair, we do it to them, too, albeit (hopefully) with less corporate complicity than they have).

I simply don't trust Chinese made parts or products anymore when it comes to privacy. This wasn't always the case, but it's becoming increasingly apparent that data gathering is going on in Chinese-made connected devices. It's also exceptionally likely that such data gathering is state-sponsored, or at the very least state-approved. I say this because if it wasn't, and this kind of stuff was happening to the Chinese people, too, chances are good that the executives of the company would be executed after a very quick show-trial.

One wouldn't do this kind of thing over there without the knowledge and blessing of the Central Committee.

People called me paranoid before. I just know how governments tend to operate. I won't deny that I tend toward paranoia at times (mostly because I lack the authority to provide the proof), but one can be both paranoid, and correct, at the same time. Just because you're paranoid doesn't mean you're not being watched, after all...

How do I get this data from my cell phone sent to me? How much data does this use? Does the phone store it so I can download it?

Don't worry, you're not alone in your paranoia. I think the reason that people suppress (and subsequently repress) these ideas is because they want to believe that technology is fundamentally good, that the devices that they spend sometimes considerable sums of money on are "theirs", and that the world is a generally nice place and not a $#!+show run by power-mad psychopaths.

I find that technological Edenism is somewhat prevalent amongst those who work in technological fields, and while I definitely appreciate the desire to feel good about the work you've set out to do and the career you've invested in, the truth is that technology is being used much more for dystopian ends than for utopian ones.

Checking the XDA forums, turns out that you could mod the Blu R1HD's ROM, but a recent OTA update disabled that option and locked the bootloader. Hmm.

Does the Amazon version and the regular version share the same update process? Amazon subsidizes the phones with ads so I don't think it is in Amazon's interests for you to be able to unlock the bootloader and do away with the ads.

Chances are that this happened because people were finally getting close to getting a useful version of Lineage OS ROM for this phone.

Personally I don't need an uber phone to do stuff, i.e. I still use a computer as my main digital device, so the approach I take is I buy a gen or 2 behind flagship. The current phone I use now is an LG G3; good CPU and RAM lets me do basically everything I need of it. The LG G5 is a meh update and honestly even the G6 seems only slightly better, so no need for an upgrade there either.

The problem is the phone carriers and manufacturers have a vested interest in dropping support for older phones fast. Then when there is a critical flaw in the firmware, you discover you cannot patch it without replacing the device.

Granted, the users of the low end phones generally don't see firmware updates for long either.

In fairness to Blu, their statement is saying the more limited set of data collected now is standard. Everyone has conceded that the data collected earlier was a mistake.

is the data collected now being sent to China?

Last time Ars reported on the egregious data leak Blu had updates out within a week.

My R1 HD has had two security updates since I bought it last July 2016...

Are they collecting data and sending it to China or not? Because this article (along with your post) is confusing me.

"Kryptowire's warnings are troubling for millions of owners of low-cost phones. To keep prices low, manufacturers of these devices often turn to discount providers of over-the-air updates. As a result, there are legitimate concerns about the safety of their data collection practices."

Isn't this exactly what the whole point of Android is? Cheap phones subsidized by a willingness to give up privacy. Google has always been open about this.

No. The point of Android is to provide an alternative for those of us that refuse to become Apple fanboys.

Apple doesn't have that problem. And that's why I wish Android was more like Windows; no matter what brand of PC you have, you always get updates and security patches in a timely manner.

I'd agree that the people (whether silicon valley darlings or random Chinese OEMs) who do this should be taken out and burned alive as a warning to others; but this sort of aggressive contact scraping and full text ad targeting isn't nearly as far from what 'respectable' outfits are constantly seeing if they can get away with.

LinkedIn used to love contact spamming, not sure if MS has cleaned them up any (or just renamed it 'telemetry'); collecting phone numbers and IMEIs is pretty much assumed for the handset vendor (and the current work on 'e-SIM' is basically intended to save a small amount of board real estate by putting provisioning of your cell number and network credentials permanently under the control of the platform vendor).

The quality of this particular software appears to be dire even by smartphone standards; but in the panopticon hellscape of 'mobile'; they are more notable for being Chinese than for being nosy.
